Linux Kernel KVM for ARM64 vCPU Event Initialization Vulnerability

Vulnerability

A vulnerability in the Linux kernel's KVM module for the ARM64 architecture allows userspace to read and write the vCPU events (the KVM_GET_VCPU_EVENTS and KVM_SET_VCPU_EVENTS ioctls) of a vCPU that has not yet been initialized with KVM_ARM_VCPU_INIT. KVM did not check the vCPU's initialization state before letting userspace pend an event, so the injection code decided how to route the exception from vCPU state that was still uninitialized, effectively random data. The routing chosen this way can disagree with what the hypervisor expects, leaving the vCPU in a state that is architecturally illegal for AArch64. At the next exception injection the consistency check in the injection path fires a kernel BUG and the host crashes.

Impact

Exploitation of this vulnerability crashes the host kernel (a BUG in the exception-injection code), a denial of service for every guest and process on the machine. The trigger is a plain vCPU ioctl, so any local user who can open /dev/kvm and create a vCPU can reach it; no guest code execution is needed.

Reproduction

The vulnerability can be reproduced with a fuzzer such as syzkaller, or by hand with the KVM ioctl sequence: open /dev/kvm, KVM_CREATE_VM, KVM_CREATE_VCPU, then KVM_SET_VCPU_EVENTS with a pending event (for example an SError) before KVM_ARM_VCPU_INIT has been issued for that vCPU. KVM records the pending exception using the uninitialized vCPU state; once the vCPU is initialized and run, the injection code and the hypervisor disagree on the vCPU's state and the kernel crashes. On a fixed kernel the KVM_SET_VCPU_EVENTS call on the uninitialized vCPU is rejected instead.
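The probe below is added here as an example; it is not from the advisory or the kernel tree. It performs the ioctl sequence above only up to the KVM_SET_VCPU_EVENTS call and reports whether the host refused it. It assumes a fixed kernel answers with errno ENOEXEC, the value KVM/arm64 uses for other ioctls on an uninitialized vCPU; any other failure is reported as PROBE_ERROR rather than interpreted. It deliberately never issues KVM_ARM_VCPU_INIT or KVM_RUN on the vCPU, since that is where an unfixed kernel would crash, but it should still only be run on a disposable arm64 test host with access to /dev/kvm. On other architectures it compiles and reports PROBE_UNSUPPORTED, and the errno classification can be checked on its own.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>

#if defined(__linux__) && defined(__aarch64__)
#include <linux/kvm.h>      /* struct kvm_vcpu_events has the arm64 layout here */
#define HAVE_ARM64_KVM 1
#endif

enum probe_result {
    PROBE_UNSUPPORTED,  /* not arm64 Linux, or /dev/kvm cannot be opened */
    PROBE_REJECTED,     /* ioctl refused on an uninitialized vCPU: kernel is fixed */
    PROBE_ACCEPTED,     /* ioctl accepted: kernel still pends events before init */
    PROBE_ERROR         /* some other failure; do not draw a conclusion */
};

/*
 * Classify the outcome of KVM_SET_VCPU_EVENTS on a vCPU that was never
 * passed through KVM_ARM_VCPU_INIT. Kept separate from the ioctl code so
 * the mapping can be unit tested on any host. Assumption (not stated by the
 * advisory): a fixed kernel reports ENOEXEC, as KVM/arm64 does for other
 * ioctls that require an initialized vCPU.
 */
enum probe_result classify_set_events(int ret, int err)
{
    if (ret == 0)
        return PROBE_ACCEPTED;
    if (err == ENOEXEC)
        return PROBE_REJECTED;
    return PROBE_ERROR;
}

/* Create a VM and one vCPU, skip KVM_ARM_VCPU_INIT, try to pend an SError. */
enum probe_result probe_uninit_vcpu_events(void)
{
#ifdef HAVE_ARM64_KVM
    int kvm = open("/dev/kvm", O_RDWR | O_CLOEXEC);
    if (kvm < 0)
        return PROBE_UNSUPPORTED;

    int vm = ioctl(kvm, KVM_CREATE_VM, 0);          /* type 0: default IPA size */
    if (vm < 0) {
        close(kvm);
        return PROBE_ERROR;
    }
    int vcpu = ioctl(vm, KVM_CREATE_VCPU, 0);
    if (vcpu < 0) {
        close(vm);
        close(kvm);
        return PROBE_ERROR;
    }

    /* No KVM_ARM_VCPU_INIT here: that is the whole point of the probe. */
    struct kvm_vcpu_events ev;
    memset(&ev, 0, sizeof ev);
    ev.exception.serror_pending = 1;   /* pend an SError, no ESR needed */

    int ret = ioctl(vcpu, KVM_SET_VCPU_EVENTS, &ev);
    int err = errno;

    /*
     * Never KVM_RUN this vCPU. On an unfixed kernel the pending event is
     * injected on the next run and that is where the BUG fires.
     */
    close(vcpu);
    close(vm);
    close(kvm);
    return classify_set_events(ret, err);
#else
    return PROBE_UNSUPPORTED;
#endif
}

int main(void)
{
    static const char *names[] = {
        "unsupported (not arm64 Linux or no /dev/kvm)",
        "rejected: kernel checks vCPU init state (fixed)",
        "accepted: events pended on an uninitialized vCPU (vulnerable)",
        "error: inconclusive",
    };
    enum probe_result r = probe_uninit_vcpu_events();
    printf("KVM_SET_VCPU_EVENTS before KVM_ARM_VCPU_INIT: %s\n", names[r]);
    return 0;
}
```

Build with `gcc -O2 -o kvm-events-probe kvm-events-probe.c` on the arm64 host and run it as a user with access to /dev/kvm. Treat only PROBE_REJECTED as evidence that the fix is present; a distribution kernel may carry the fix under a different errno, in which case the probe reports PROBE_ERROR and the kernel changelog is the authority.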

Remediation

Upgrade to a kernel release that carries the fix, or apply your distribution's backported kernel update. Until the host is updated, limit exposure by restricting which users and containers can open /dev/kvm, since the trigger requires nothing more than the ability to create a vCPU.

Added: Oct 30, 2025, 10:27 AM
Updated: Oct 30, 2025, 3:26 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.